Hi,
Try enabling this feature and see how it goes:  https://odoo-community.org/shop/verify-email-at-signup-545

Thanks

Please check:-

https://apps.odoo.com/apps/modules/18.0/recaptcha_signup

I've just found out that the e-mail addresses in the fake accounts are real. Not only the majority of them aren't being returned, but some are giving back automatic away replies set up by users.

This is a bigger issue than I thought, as the domain might be flagged as spammer over time.

Did anybody find any solutions? Two days ago I updated and upgraded Ubuntu services and it got worse...

Same issue here.

Exactly the same !

100 fake accounts are being accepted by Odoo every day since 1 month approx.

ReCAPTCHA V3 is not able to avoiding them, no way to stop them even on max score defense (1.0).

Email validation does not fix at all, because spammers are anyway registering. Odoo default allow web account sign-up, no matter email being verified or not. Even not verified, any sign-up account is being create as not-connected "portal user" and partner "contact". 

Thas is a real flow at Odoo.

There is no way to stop them.

HELP.

PS: we are on self hosted Odoo.

This looks like a coordinated attack, with 2 processes running from the same machine, and constantly switching their VPN host. 

There are multiple measures that you can put in place just to disable it, but that doesn't mean the attacker will not adapt to those measures.

First of all, make sure you are not using any default passwords for your database or for your Oddo configuration.
Set in place a second validation for the username, for instance, right now, the bot is creating users with a lot of uppercase letters. 

You can force usernames to only have one uppercase letter and those accounts will not be allowed.
You could also set in place a human validation system (CAPTCHA)  when the account is created, to limit bot accounts. 

Not allowing more than one account to be created from the same IP is another possibility, that will immediately reduce half of those account creations. 

@patrick could you please send-me the module to? my emails is mendez.foto@gmail.com

Hi Patrick ! can I get your module please ? 

This is my Email: humanizar.do@gmail.com

thank you very much :) 

Normally, bots fill in all fields. Couldn't we consider adding a hidden field to the registration form and, if it is filled in, prevent the registration from proceeding?

@patrick

Please check your email

I'm also having this issue, I removed the option for the portal users to be able to request a password reset to avoid spamming. I'm interested in the module solution if possible. 

Hi all
Have the Same issue. 
The comment out of signup form is no option for me. Only temporary.

Is there anyway to fix this issue?

Greetings,

Exactly same issue here. 

Anyone with a solution? 

I have commented out the signup/login webpage. I add portal users manually anyway. The last couple of days no new fake accounts have appeared.